DefGuard
diff --git a/‎public/images/blog/mfa-isnt-an-addon/defguard-acl-overview.png‎
91 KB b/‎public/images/blog/mfa-isnt-an-addon/defguard-acl-overview.png‎
91 KB
diff --git a/‎public/images/blog/mfa-isnt-an-addon/defguard-prusa-location.png‎
17.4 KB b/‎public/images/blog/mfa-isnt-an-addon/defguard-prusa-location.png‎
17.4 KB
diff --git a/‎public/images/blog/mfa-isnt-an-addon/mfa-hero.png‎
2.31 MB b/‎public/images/blog/mfa-isnt-an-addon/mfa-hero.png‎
2.31 MB
diff --git a/‎src/content/blog/mfa-isnt-an-addon.mdx‎
Lines changed: 212 additions & 0 deletions b/‎src/content/blog/mfa-isnt-an-addon.mdx‎
Lines changed: 212 additions & 0 deletions
@@ -0,0 +1,212 @@
+---
+title: "Security shouldn't cost extra — MFA isn't an add-on"
+publishDate: 2025-11-05
+description: "MFA is mandatory under frameworks like NIS2. See why legacy VPNs sell it as an add-on, how that creates cost and risk, and how Defguard builds it in by default."
+author: "Robert (Co-Founder, Defguard)"
+image: "/images/blog/mfa-isnt-an-addon/mfa-hero.png"
+---
+
+![Security shouldn't cost extra — MFA isn't an add-on](/images/blog/mfa-isnt-an-addon/mfa-hero.png)
+
+## Table of Contents
+- [The Hidden "Security Tax": The True Cost of a Fragmented Model](#the-hidden-security-tax-the-true-cost-of-a-fragmented-model)
+- [Security by Design: The FortiToken Alternative](#security-by-design-the-fortitoken-alternative)
+- [Defguard in Practice: The Prusa Research Case](#defguard-in-practice-the-prusa-research-case)
+- [The Real Choice: A Fragmented Model vs. A Unified Foundation](#the-real-choice-a-fragmented-model-vs-a-unified-foundation)
+- [Frequently Asked Questions (FAQ)](#frequently-asked-questions-faq)
+
+To comply with standards like [NIS2](/blog/mfa-wireguard-nis2-compliance), Multi-Factor Authentication (MFA) has become a baseline requirement, not an option.
+
+Yet in most enterprise VPNs, fundamentals such as MFA, SSO, and identity management are still treated as extras; not for technical reasons, but because separating them is profitable.
+
+The result is predictable: organizations end up buying their security in fragments just to meet compliance. This leads to increased Total Operating Costs and time lost on stitching MFA and VPN together.
+
+The problem isn't technical; it's commercial. Vendors have learned to turn essential protection into a series of recurring upgrades.
+
+This article breaks down how that model works — and how Defguard was designed to solve it.
+
+## The Hidden "Security Tax": The True Cost of a Fragmented Model
+
+When basic security requirement is sold as a separate product, expenses rise fast — not just in licensing, but in complexity and risk.
+
+### 1. The Licensing Cost
+
+The "security tax" is unpredictable. The appliance price looks reasonable, but then you must add per-user MFA tokens and SSO or identity module licenses. The cost keeps scaling with your headcount, not your security.
+
+### 2. The Operational Cost
+
+This is the pain system admins feel. Every add-on, like separate MFA modules or token licenses, adds more components to configure, maintain, and update. Each new piece introduces another integration point, another dependency, and another potential failure.
+
+**Our Fix:**
+
+Defguard runs as a single, unified platform, ready to deploy in minutes and built to integrate with your existing environment.
+
+From one admin panel, you can manage users, groups, devices, and MFA settings, define access policies, and monitor connections, all without switching between tools.
+
+![Defguard Admin Dashboard — users, groups, devices, MFA settings, and access policies overview](/images/blog/mfa-isnt-an-addon/defguard-acl-overview.png)
+*All security layers in one place — users, devices, MFA policies, and access rules.*
+
+### 3. When Security Becomes Optional
+
+The real risk? Because MFA is a separate purchase, some departments may skip it to save budget. That creates inconsistent protection — the exact kind of compliance gap auditors find and attackers exploit.
+
+**Our Fix:**
+
+In Defguard, MFA isn't a license you can skip, it's part of the core platform. You cannot have a compliance gap when the secure baseline is the only baseline.
+## Security by Design: The FortiToken Alternative
+
+We believe the legacy model is broken. Security isn't something you add — it's something you build on.
+
+A modern VPN shouldn't upsell you MFA; it should deliver it by design. That's the principle behind Defguard.
+
+### How We Do It: A Unified Platform
+
+Defguard is a self-hosted, unified solution where identity and access control are part of the same architecture. Here's what that means in practice:
+
+#### 1. Built-in User Management (IdP)
+
+Defguard includes a native user database (often called an Identity Provider or IdP) as a core service.
+
+This is where you manage your users and groups directly — no premium extensions or add-ons. [Learn how Defguard works as an SSO provider](https://docs.defguard.net/admin-and-features/openid-connect) for your organization.
+
+#### 2. Built-in Multi-Factor Authentication (MFA)
+
+Defguard also handles MFA as a core service, supporting standard time-based one-time passwords (TOTP) from authenticator apps such as Google Authenticator or Microsoft Authenticator — no proprietary tokens required. [Explore Defguard's built-in MFA](https://defguard.net/features/mfa).
+
+#### 3. Integration with Your Existing Tools
+
+For organizations already using external identity systems like Microsoft Entra ID, Google Workspace, Okta, or JumpCloud, Defguard provides native integration.
+
+It uses the standard OpenID Connect (OIDC) protocol to securely connect to systems like Microsoft Entra ID, Google Workspace, Okta, or JumpCloud, letting users log in with their existing accounts. You can [see detailed SSO integration examples in our documentation](https://docs.defguard.net/admin-and-features/external-openid-providers).
+
+![Defguard unified architecture — distributed locations overview](/images/blog/mfa-isnt-an-addon/defguard-prusa-location.png)
+*Unified architecture — one core, one proxy, multiple locations.*
+
+### The Proof: It's in Our Open Source Plan
+
+These security capabilities are not tiered upsells.
+
+The ultimate proof is in our design: our Open Source plan includes both the built-in user database (IdP) and connection-level MFA from the start.
+
+This is the difference between a system built for upsell and one built for security.
+## Defguard in Practice: The Prusa Research Case
+
+This isn't theoretical. **Prusa Research** needed to scale their VPN for over 500 users, including production-floor devices and remote employees.
+
+A fragmented model would have forced them to manage hundreds of separate token licenses and deal with complex identity integrations.
+
+This was not a scalable or efficient solution.
+
+**How we solved their problem:**
+
+They chose Defguard because it's a single, unified platform. Because MFA is built-in, there are no token licenses to manage. Their IT team can provision a new user with MFA enabled in seconds, all from one place. When a user connects, Defguard enforces MFA as part of the connection process itself.
+
+**The outcome is simple:**
+
+100% of their VPN users have MFA enabled, because MFA isn't a license you can skip, it's part of the core platform.
+## The Real Choice: A Fragmented Model vs. A Unified Foundation
+
+The problem with the legacy model is clear: you are forced to pay an enormous extra cost for MFA just to be compliant.
+
+This isn't an accident. It's the result of a business model designed to sell you security in separate, expensive pieces.
+
+Legacy VPNs treat security as a catalog of features; Defguard treats it as a foundation.
+
+If you're facing another license renewal and see a "security tax" on your invoice, maybe it's time to move from a fragmented solution to a foundational one.
+
+**See what built-in security looks like.**
+
+[Book a Demo](/book-a-demo) and explore Defguard's modern VPN with MFA included.
+## Frequently Asked Questions (FAQ)
+
+**How much does Fortinet MFA cost?**
+
+Fortinet's MFA isn't a single price. It often requires separate purchases like FortiToken (for MFA) and FortiAuthenticator (for identity).
+
+These components are necessary for compliance and make the true TCO much higher than the base price — [see FortiToken licensing details](https://www.fortinet.com/products/fortitoken).
+
+**Is FortiToken required for Fortinet VPN MFA?**
+
+Yes. In most FortiGate VPN configurations, FortiToken is the required component to enable MFA — as hardware or mobile tokens, licensed per user ([setup guide](https://docs.fortinet.com/document/fortigate/latest/administration-guide/fortitoken)).
+
+**What is a good FortiToken alternative?**
+
+A modern alternative to token-based MFA systems. Defguard includes Multi-Factor Authentication as a built-in feature — supporting standard TOTP codes from authenticator apps (like Google Authenticator) and a native user database (IdP) in every deployment. [Learn more about Defguard VPN with built-in MFA](https://defguard.net/features/mfa).
+
+**Are there VPNs with MFA included in the base price?**
+
+Yes. Defguard, as a modern WireGuard®-based platform, includes MFA by default — built into every deployment, with no extra licensing or modules.
+<script type="application/ld+json" is:inline>
+{`{
+  "@context": "https://schema.org",
+  "@graph": [
+    {
+      "@type": "BlogPosting",
+      "headline": "Security shouldn't cost extra — MFA isn't an add-on",
+      "description": "MFA is mandatory under frameworks like NIS2. Learn why legacy VPNs sell it as an add-on and how Defguard builds it in by default.",
+      "image": "https://defguard.net/images/blog/mfa-isnt-an-addon/mfa-hero.png",
+      "author": {
+        "@type": "Person",
+        "name": "Robert",
+        "jobTitle": "Co-Founder",
+        "affiliation": {
+          "@type": "Organization",
+          "name": "Defguard"
+        }
+      },
+      "publisher": {
+        "@type": "Organization",
+        "name": "Defguard",
+        "logo": {
+          "@type": "ImageObject",
+          "url": "https://defguard.net/svg/logo-full.svg"
+        }
+      },
+      "datePublished": "2025-11-05",
+      "mainEntityOfPage": {
+        "@type": "WebPage",
+        "@id": "https://defguard.net/blog/mfa-isnt-an-addon/"
+      },
+      "articleSection": "Security, VPN, MFA, WireGuard",
+      "keywords": ["MFA", "FortiToken", "WireGuard", "NIS2", "VPN", "Defguard", "SSO", "IdP"]
+    },
+    {
+      "@type": "FAQPage",
+      "mainEntity": [
+        {
+          "@type": "Question",
+          "name": "How much does Fortinet MFA cost?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "Fortinet's MFA isn't a single price. It often requires separate purchases like FortiToken (for MFA) and FortiAuthenticator (for identity). These components are necessary for compliance and make the true TCO much higher than the base price."
+          }
+        },
+        {
+          "@type": "Question",
+          "name": "Is FortiToken required for Fortinet VPN MFA?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "Yes. In most FortiGate VPN configurations, FortiToken is the required component to enable MFA — as hardware or mobile tokens, licensed per user."
+          }
+        },
+        {
+          "@type": "Question",
+          "name": "What is a good FortiToken alternative?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "A modern alternative to token-based MFA systems. Defguard includes Multi-Factor Authentication as a built-in feature — supporting standard TOTP codes from authenticator apps (like Google Authenticator) and a native user database (IdP) in every deployment. There's no need for separate hardware or mobile tokens."
+          }
+        },
+        {
+          "@type": "Question",
+          "name": "Are there VPNs with MFA included in the base price?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "Yes. Defguard, as a modern WireGuard®-based platform, includes MFA by default — built into every deployment, with no extra licensing or modules."
+          }
+        }
+      ]
+    }
+  ]
+}`}
+</script>